KB-36F0

Phase 2 Offline MVP Execution Report — 2026-06-10


Verdict: PHASE2_MVP_PASS · Date: 2026-06-10 · Run: 27248508492 · Venue: GitHub-hosted ephemeral runner (NOT Mac-local) · Production mutation: NO

The offline, packet-derived, NON-GATING read/report inspector (ip_dot_inspector, rev4) was built and run under the B4′ deny-by-default sandbox, and its rev4 acceptance/negative tests passed 31/31. Evidence, not authority.

1. What was built

ip_dot_inspector — stdlib-only Python package, distroless image, runs as nonroot 65532. No live KB/PG read, no PG driver, no KB writer, no gate consumer, no network, no subprocess, no dynamic import. Output is the local triplet only (report.json + report.md + checkpoint-*.md) to the write-only /out mount; production_mutation:false.

Modules (each declares ALLOWED_ACTIONS ⊆ {READ_PACKET_ITEM, WRITE_LOCAL_REPORT}):

  • contract
  • packet_loader (P0 + provenance G10)
  • selfcheck (P1 capability/sandbox self-check, fail-closed)
  • claims (P2 inventory + UNPARSED_REGION/completeness G9)
  • adequacy (P3/P4 §3 chain + discovery resolver + denominator/dual-corpus/reconciliation gates)
  • verdict (P5 precedence + global-wording lint + scope_of_denial enforcement + non-gating stamps)
  • report (P6 local triplet emitter)
  • fix7_pilot, engine, __main__

Full source retained in Huyen1974/tool-kiem-thu-ci and embedded in planning/ci-phase2-phase3-workflow-and-harness-packet-2026-06-10.md.

2. L2 build-guard (guard harness) — NO_BUILD_GUARD_VIOLATION

tools/build_guard.py is an AST + lint scanner enforcing G4 (no subprocess/shell/exec, no socket/HTTP client, no dynamic import, no DB driver, no KB/Directus write SDK, no secrets reader; ALLOWED_ACTIONS ⊆ universe), G8 (no exit-0 path), test #3 (no forbidden positive tokens), #31 (no raw SQL). On the MVP tree: clean (verdict NO_BUILD_GUARD_VIOLATION). It caught one real issue during authoring — a forbidden token READ_LEVEL_ACCEPTABLE present in a comment — which was removed before the run (evidence the guard works).
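
The checks described above can be sketched as follows. This is an added example, not the project's tools/build_guard.py: the rule tables, the violation codes, the scan() function and the choice of psycopg2 as a sample DB driver are assumptions made for illustration. It shows why the token lint has to run on raw source text (comments never reach the AST) and how the exit-0 and ALLOWED_ACTIONS checks fail closed.

```python
import ast

# Assumed rule tables, inferred from the report's description of G4/G8/test #3.
FORBIDDEN_MODULES = {"subprocess", "socket", "http", "urllib", "importlib", "psycopg2"}
FORBIDDEN_CALLS = {"exec", "eval", "__import__", "os.system", "os.popen"}
EXIT_CALLS = {"sys.exit", "exit", "quit", "os._exit"}
FORBIDDEN_TOKENS = {"READ_LEVEL_ACCEPTABLE"}  # the one token the report names
UNIVERSE = {"READ_PACKET_ITEM", "WRITE_LOCAL_REPORT"}

def _dotted(node):
    """Return 'a.b' for a Name/Attribute chain, '' for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and _dotted(node.value):
        return f"{_dotted(node.value)}.{node.attr}"
    return ""

def scan(source):
    """Return sorted violation codes; an empty list means the module is clean."""
    # Token lint runs on raw text because comments never reach the AST.
    found = {f"TOKEN:{t}" for t in FORBIDDEN_TOKENS if t in source}
    declared = False
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        else:
            mods = []
        found |= {f"G4:import:{m}" for m in mods if m.split(".")[0] in FORBIDDEN_MODULES}
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in FORBIDDEN_CALLS:
                found.add(f"G4:call:{name}")
            arg = node.args[0] if node.args else None
            # Fail closed: exit(), exit(0) and exit(<non-literal>) all count as exit-0 paths.
            if name in EXIT_CALLS and (not isinstance(arg, ast.Constant) or arg.value in (0, None)):
                found.add("G8:exit0")
        if isinstance(node, ast.Assign) and any(_dotted(t) == "ALLOWED_ACTIONS" for t in node.targets):
            declared = True
            try:  # must be a literal collection that is a subset of the universe
                ok = set(ast.literal_eval(node.value)) <= UNIVERSE
            except (ValueError, TypeError, SyntaxError):
                ok = False
            if not ok:
                found.add("G4:actions-outside-universe")
    if not declared:
        found.add("G4:actions-undeclared")
    return sorted(found)
```
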

3. Tests — 31/31 PASS

pytest 31 passed, 0 failed, 0 errors. Covers matrix #1–#45 (MVP-LOGIC subset) + negatives + L2 build-guard negative tests (feed bad source → expect rejection) + P1 fail-closed. Binding: reports/phase2-offline-mvp-acceptance-matrix-binding-2026-06-10.md.

4. MVP run INSIDE the deny-by-default container (L1 integration)

The image was run with the exact B4′ deny-by-default flags (--network none --read-only --cap-drop ALL --security-opt no-new-privileges --security-opt seccomp=startup-safe --env-file /dev/null --user 65532 -v in:ro -v out:rw) against the FIX7 fixture packet. Result:

  • container exit 1 (= READ_LEVEL_FAIL per §11; exit codes are diagnostic, not gates)
  • final_verdict: READ_LEVEL_FAIL · article14_status: NOT_PROVEN_EXECUTION_UNVERIFIED
  • flags: [FLAG_PROSE_ONLY_PASS] · decision_effect: NONE · may_gate: false
  • writes_performed: ['/out/report.json','/out/report.md','/out/checkpoint-fix7-read-report-pilot.md'] · production_mutation: false

This proves the MVP runs offline under the attested L1 boundary and fail-closes to a non-green verdict with the mandated non-gating, scoped, non-global-absence semantics.

5. Honesty (Article 14)

No green verdict and no exit 0 exist anywhere (enforced by build-guard + verdict engine + asserted by tests #1/#3/#36). The MVP never runs a claim, recomputes a hash, opens a driver, or issues a query. Machine detail: reports/phase2-offline-mvp-execution-report-2026-06-10.json. Raw logs: reports/phase2-offline-mvp-raw-log-index-2026-06-10.md.